summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRob Crittenden <rcritten@redhat.com>2009-08-24 13:42:48 -0400
committerRob Crittenden <rcritten@redhat.com>2009-08-26 09:51:19 -0400
commit08fc563212faeca9aa4dc9339acedcac3751ca5d (patch)
tree324c0c5ed15a24b0a8a2fd8ecaf153e561c51530
parent7a7041045e127e0537bd5eb1592bf58c846bb64d (diff)
downloadfreeipa-08fc563212faeca9aa4dc9339acedcac3751ca5d.tar.gz
freeipa-08fc563212faeca9aa4dc9339acedcac3751ca5d.tar.xz
freeipa-08fc563212faeca9aa4dc9339acedcac3751ca5d.zip
Generate CRLs and make them available from the IPA web server
-rw-r--r--install/conf/ipa.conf10
-rw-r--r--ipa.spec.in8
-rw-r--r--ipaserver/install/cainstance.py46
-rw-r--r--selinux/Makefile5
-rw-r--r--selinux/ipa_httpd/ipa_httpd.te16
5 files changed, 81 insertions, 4 deletions
diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index 9656fdf3..5ca13d37 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -41,6 +41,9 @@ Alias /ipa/errors "/usr/share/ipa/html"
# For the MIT Windows config files
Alias /ipa/config "/usr/share/ipa/html"
+# For CRL publishing
+Alias /ipa/crl "/var/lib/pki-ca/publish"
+
<Location "/ipa/xml">
AuthType Kerberos
AuthName "Kerberos Login"
@@ -72,6 +75,13 @@ Alias /ipa/config "/usr/share/ipa/html"
Allow from all
</Directory>
+<Directory "/var/lib/pki-ca/publish">
+ AllowOverride None
+ Options Indexes FollowSymLinks
+ Satisfy Any
+ Allow from all
+</Directory>
+
# Protect our CGIs
<Directory /var/www/cgi-bin>
AuthType Kerberos
diff --git a/ipa.spec.in b/ipa.spec.in
index 32f3d999..cd38b05a 100644
--- a/ipa.spec.in
+++ b/ipa.spec.in
@@ -287,7 +287,7 @@ if [ -s /etc/selinux/config ]; then
fi
%post server-selinux
-semodule -s targeted -i /usr/share/selinux/targeted/ipa_webgui.pp /usr/share/selinux/targeted/ipa_kpasswd.pp
+semodule -s targeted -i /usr/share/selinux/targeted/ipa_webgui.pp /usr/share/selinux/targeted/ipa_kpasswd.pp /usr/share/selinux/targeted/ipa_httpd.pp
. %{_sysconfdir}/selinux/config
FILE_CONTEXT=%{_sysconfdir}/selinux/targeted/contexts/files/file_contexts
selinuxenabled
@@ -309,7 +309,7 @@ fi
%postun server-selinux
if [ $1 = 0 ]; then
-semodule -s targeted -r ipa_webgui ipa_kpasswd
+semodule -s targeted -r ipa_webgui ipa_kpasswd ipa_httpd
. %{_sysconfdir}/selinux/config
FILE_CONTEXT=%{_sysconfdir}/selinux/targeted/contexts/files/file_contexts
selinuxenabled
@@ -376,6 +376,7 @@ fi
%files server-selinux
%{_usr}/share/selinux/targeted/ipa_webgui.pp
%{_usr}/share/selinux/targeted/ipa_kpasswd.pp
+%{_usr}/share/selinux/targeted/ipa_httpd.pp
%files client
%doc LICENSE README
@@ -432,6 +433,9 @@ fi
%endif
%changelog
+* Mon Aug 24 2009 Rob Crittenden <rcritten@redhat.com> - 1.99-7
+- Added httpd SELinux policy so CRLs can be read
+
* Thu May 21 2009 Rob Crittenden <rcritten@redhat.com> - 1.99-6
- Move ipalib to ipa-python subpackage
- Bump minimum version of slapi-nis to 0.15
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 5ade4716..054ceaf2 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -409,6 +409,7 @@ class CAInstance(service.Service):
self.step("adding RA agent as a trusted user", self.__configure_ra)
self.step("fixing RA database permissions", self.fix_ra_perms)
self.step("setting up signing cert profile", self.__setup_sign_profile)
+ self.step("set up CRL publishing", self.__enable_crl_publish)
self.step("configuring certificate server to start on boot", self.__enable)
self.step("restarting certificate server", self.__restart_instance)
@@ -827,6 +828,51 @@ class CAInstance(service.Service):
# Tell the profile to automatically issue certs for RAs
installutils.set_directive('/var/lib/pki-ca/profiles/ca/caJarSigningCert.cfg', 'auth.instance_id', 'raCertAuth', quotes=False, separator='=')
+ def __enable_crl_publish(self):
+ """
+ Enable file-based CRL publishing and disable LDAP publishing.
+
+ http://www.redhat.com/docs/manuals/cert-system/8.0/admin/html/Setting_up_Publishing.html
+ """
+ caconfig = "/var/lib/pki-ca/conf/CS.cfg"
+
+ publishdir='/var/lib/pki-ca/publish'
+ os.mkdir(publishdir)
+ os.chmod(publishdir, 0755)
+ pent = pwd.getpwnam(self.pki_user)
+ os.chown(publishdir, pent.pw_uid, pent.pw_gid )
+
+
+ # Enable file publishing, disable LDAP
+ installutils.set_directive(caconfig, 'ca.publish.enable', 'true', quotes=False, separator='=')
+ installutils.set_directive(caconfig, 'ca.publish.ldappublish.enable', 'false', quotes=False, separator='=')
+
+ # Create the file publisher, der only, not b64
+ installutils.set_directive(caconfig, 'ca.publish.publisher.impl.FileBasedPublisher.class','com.netscape.cms.publish.publishers.FileBasedPublisher', quotes=False, separator='=')
+ installutils.set_directive(caconfig, 'ca.publish.publisher.instance.FileBaseCRLPublisher.crlLinkExt', 'bin', quotes=False, separator='=')
+ installutils.set_directive(caconfig, 'ca.publish.publisher.instance.FileBaseCRLPublisher.directory', publishdir, quotes=False, separator='=')
+ installutils.set_directive(caconfig, 'ca.publish.publisher.instance.FileBaseCRLPublisher.latestCrlLink', 'true', quotes=False, separator='=')
+ installutils.set_directive(caconfig, 'ca.publish.publisher.instance.FileBaseCRLPublisher.pluginName', 'FileBasedPublisher', quotes=False, separator='=')
+ installutils.set_directive(caconfig, 'ca.publish.publisher.instance.FileBaseCRLPublisher.timeStamp', 'LocalTime', quotes=False, separator='=')
+ installutils.set_directive(caconfig, 'ca.publish.publisher.instance.FileBaseCRLPublisher.zipCRLs', 'false', quotes=False, separator='=')
+ installutils.set_directive(caconfig, 'ca.publish.publisher.instance.FileBaseCRLPublisher.zipLevel', '9', quotes=False, separator='=')
+ installutils.set_directive(caconfig, 'ca.publish.publisher.instance.FileBaseCRLPublisher.Filename.b64', 'false', quotes=False, separator='=')
+ installutils.set_directive(caconfig, 'ca.publish.publisher.instance.FileBaseCRLPublisher.Filename.der', 'true', quotes=False, separator='=')
+
+ # The publishing rule
+ installutils.set_directive(caconfig, 'ca.publish.rule.instance.FileCrlRule.enable', 'true', quotes=False, separator='=')
+ installutils.set_directive(caconfig, 'ca.publish.rule.instance.FileCrlRule.mapper', 'NoMap', quotes=False, separator='=')
+ installutils.set_directive(caconfig, 'ca.publish.rule.instance.FileCrlRule.pluginName', 'Rule', quotes=False, separator='=')
+ installutils.set_directive(caconfig, 'ca.publish.rule.instance.FileCrlRule.predicate=', '', quotes=False, separator='')
+ installutils.set_directive(caconfig, 'ca.publish.rule.instance.FileCrlRule.publisher', 'FileBaseCRLPublisher', quotes=False, separator='=')
+ installutils.set_directive(caconfig, 'ca.publish.rule.instance.FileCrlRule.type', 'crl', quotes=False, separator='=')
+
+ # Now disable LDAP publishing
+ installutils.set_directive(caconfig, 'ca.publish.rule.instance.LdapCaCertRule.enable', 'false', quotes=False, separator='=')
+ installutils.set_directive(caconfig, 'ca.publish.rule.instance.LdapCrlRule.enable', 'false', quotes=False, separator='=')
+ installutils.set_directive(caconfig, 'ca.publish.rule.instance.LdapUserCertRule.enable', 'false', quotes=False, separator='=')
+ installutils.set_directive(caconfig, 'ca.publish.rule.instance.LdapXCertRule.enable', 'false', quotes=False, separator='=')
+
def uninstall(self):
try:
ipautil.run(["/usr/bin/pkiremove", "-pki_instance_root=/var/lib",
diff --git a/selinux/Makefile b/selinux/Makefile
index a662d2fd..9c2ed091 100644
--- a/selinux/Makefile
+++ b/selinux/Makefile
@@ -1,4 +1,4 @@
-SUBDIRS = ipa_webgui ipa_kpasswd
+SUBDIRS = ipa_webgui ipa_kpasswd ipa_httpd
POLICY_MAKEFILE = /usr/share/selinux/devel/Makefile
POLICY_DIR = $(DESTDIR)/usr/share/selinux/targeted
@@ -23,6 +23,7 @@ install: all
install -d $(POLICY_DIR)
install -m 644 ipa_webgui/ipa_webgui.pp $(POLICY_DIR)
install -m 644 ipa_kpasswd/ipa_kpasswd.pp $(POLICY_DIR)
+ install -m 644 ipa_httpd/ipa_httpd.pp $(POLICY_DIR)
load:
- /usr/sbin/semodule -i ipa_webgui/ipa_webgui.pp ipa_kpasswd/ipa_kpasswd.pp
+ /usr/sbin/semodule -i ipa_webgui/ipa_webgui.pp ipa_kpasswd/ipa_kpasswd.pp ipa_httpd/ipa_httpd.pp
diff --git a/selinux/ipa_httpd/ipa_httpd.te b/selinux/ipa_httpd/ipa_httpd.te
new file mode 100644
index 00000000..a13ebc12
--- /dev/null
+++ b/selinux/ipa_httpd/ipa_httpd.te
@@ -0,0 +1,16 @@
+module ipa_httpd 1.0;
+
+require {
+ type pki_ca_var_lib_t;
+ type httpd_t;
+ class lnk_file { read getattr };
+ class dir { read search open getattr };
+ class file { getattr read open execute };
+}
+
+# Let Apache read the directories within the certificate authority
+# so it can read the published CRLs.
+allow httpd_t pki_ca_var_lib_t:dir { read search open getattr };
+allow httpd_t pki_ca_var_lib_t:file { read getattr open };
+allow httpd_t pki_ca_var_lib_t:lnk_file { read getattr };
+